CCNP ENCOR 350-401 Exam Cram Notes

V. Security

1. Configure and verify device access control

1.1 Lines and password protection

To set the enable password, use "enable password <password>".

To set the enable secret, use "enable secret <password>".

enable / disable - enters or leaves privileged EXEC mode.

There are five different types of passwords:

1. Enable Password - A global command that restricts access to privileged EXEC mode. The password is stored unencrypted.

2. Enable Secret - Assigns a one-way cryptographic (hashed) secret password, available in IOS versions 10.3 and later. When both are configured, the enable secret is used instead of the enable password.

3. Virtual Terminal Password (vty password): The virtual terminal password is used for Telnet sessions into the router. The password can be changed at any time, and it can be set when you configure the router from the console. There can be five distinct passwords, one for each vty (vty 0 to vty 4), or a single password for all vtys.

4. Auxiliary Password: The auxiliary password sets the password on the auxiliary (AUX) port, which is used to access a router through a modem.

5. Console Password: The console password sets the password on the console port.

All passwords configured on an IOS device, with the exception of the password configured with enable secret, are stored in clear text in the device configuration file. This means that all an attacker needs to do to find out the passwords is to run the show running-config command.

By using the "service password-encryption" command in global configuration mode, the console and VTY passwords are displayed in encrypted format, making it more difficult for a hacker to steal the passwords.

The following are the options considered security issues with the current configuration of Switch A:

The wording in the banner is not appropriate. It should typically read something like a "do not enter if you don't belong" message.

Virtual terminal lines are protected only by a password requirement.

Telnet connections can be used to remotely manage the switch (see "line vty 5 15" and "login").

The option "privileged mode is protected with an unencrypted password" is not relevant, as no password is configured for privileged mode.

The option "the Cisco user will be granted privilege level 15 by default" is not correct, as the user is only granted privilege level 15 if this is configured.

The auxiliary password is used to set the password for the auxiliary port.

Assuming that you are at the # prompt, the sequence of commands is:

RouterA#config t
RouterA(config)#line aux 0
RouterA(config-line)#login
RouterA(config-line)#password <password>

Now the password <password> is set. Type Ctrl-Z to return to the # prompt, or "exit" to go back to the global configuration prompt "RouterA(config)#".

A similar procedure applies to setting the vty and console passwords.

By default, an IOS device will disconnect a console or VTY user after 10 minutes of inactivity. You can specify a different inactivity timer using the "exec-timeout MINUTES SECONDS" line mode command. For example, to disconnect a console user after 90 seconds of inactivity, use the following commands:

R1(config)#line console 0
R1(config-line)# exec-timeout 1 30

After 90 seconds of inactivity the session is disconnected, and the user must supply the console password to log back in.

The encryption algorithm used by service password-encryption is weak and is easily reversed. The hashing algorithm used by enable secret (MD5) is not so easily broken.
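The points above (enable secret versus enable password, clear-text line passwords, the reversible type 7 format, exec-timeout, and Telnet on the vty lines) are what a configuration audit looks for. The script below is an added example, not part of the cram notes or of any Cisco tool: it parses a constructed running-config into global commands and per-line sections and reports each weak setting, then shows that a constructed hardened counterpart (enable secret, a local user with a secret, "login local" and SSH-only vtys, which goes slightly beyond the line-password approach in the notes) produces no findings. Both configuration texts and all placeholder secrets are made up for this example.

```python
# Added example (not from the cram notes): audit an IOS-style running-config for the
# weak line/password settings described above. The config text is constructed here.
SAMPLE_CONFIG = """\
enable password cisco123
!
line con 0
 exec-timeout 0 0
 password console1
 login
line aux 0
 password 7 0822455D0A16
 login
line vty 0 4
 password vty1
 login
 transport input telnet
line vty 5 15
 login
 transport input telnet
"""

# Constructed hardened counterpart: secret-based credentials, local login, SSH only.
HARDENED_CONFIG = """\
service password-encryption
enable secret ENABLE-SECRET-PLACEHOLDER
username admin secret USER-SECRET-PLACEHOLDER
!
line con 0
 exec-timeout 1 30
 login local
line aux 0
 exec-timeout 1 30
 login local
line vty 0 4
 exec-timeout 5 0
 login local
 transport input ssh
line vty 5 15
 exec-timeout 5 0
 login local
 transport input ssh
"""


def parse_config(config):
    """Split config text into global commands and per-'line' sections.

    Indented commands belong to the most recent 'line ...' command, as in
    'show running-config' output.
    """
    global_cmds, sections, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
            continue
        cmd = raw.strip()
        if cmd.startswith("line "):
            current = cmd
            sections.setdefault(current, [])
        else:
            current = None
            global_cmds.append(cmd)
    return global_cmds, sections


def audit(config):
    """Return (scope, finding) pairs for weak device-access settings."""
    global_cmds, sections = parse_config(config)
    findings = []
    if not any(c.startswith("enable secret ") for c in global_cmds):
        findings.append(("global", "no enable secret configured"))
    if any(c.startswith("enable password ") for c in global_cmds):
        findings.append(("global", "enable password is stored in clear text"))
    encrypt_on = "service password-encryption" in global_cmds
    if not encrypt_on:
        findings.append(("global", "service password-encryption is off"))
    for name, cmds in sections.items():
        passwords = [c for c in cmds if c.startswith("password ")]
        # 'login' with no line password: IOS refuses the login ("Password required, but none set").
        if "login" in cmds and not passwords:
            findings.append((name, "login required but no password set; logins will be refused"))
        for pw in passwords:
            if pw.startswith("password 7 "):
                findings.append((name, "type 7 password is reversible"))
            elif not encrypt_on:
                findings.append((name, "password stored in clear text"))
        if "exec-timeout 0 0" in cmds:
            findings.append((name, "exec-timeout 0 0 disables the inactivity timer"))
        if any(c.startswith("transport input") and ("telnet" in c or "all" in c) for c in cmds):
            findings.append((name, "telnet allowed for remote management"))
    return findings


if __name__ == "__main__":
    for scope, msg in audit(SAMPLE_CONFIG):
        print(f"{scope:14} {msg}")
    print("hardened config findings:", audit(HARDENED_CONFIG))
```

Run it against a saved "show running-config" capture to get the same report; the sample config yields ten findings, including the vty 5 15 lines that require a login but have no password set.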

1.2 Authentication and authorization using AAA

The steps for configuring AAA, in brief, are given below.

On the client side:

1. Enable AAA: aaa new-model

2. Specify AAA server to be accessed by the client

tacacs-server host 192.168.1.2 key cisco@123

3. Create a named authentication method list. MYAUTHLIST is used as an example only; you can use any name.

aaa authentication login MYAUTHLIST group tacacs+ local

4. Create an authorization method list to apply to users that have been authenticated.

aaa authorization exec MYAUTHORIZATIONLIST group tacacs+ local

5. Apply the method lists to the device lines:

a. line vty 0 4

b. login authentication MYAUTHLIST

c. authorization exec MYAUTHORIZATIONLIST

The sequence of steps for creating and applying a method list on a router is:

a. Enable AAA

b. Create method lists for authentication. You may specify more than one method; the second method (local) is used only when the first method fails.

c. Apply the method lists per line / per interface

Typical configuration commands for enabling AAA, creating a method list AUTHLIST, and applying it to the vty lines are given below:

Frisco(config)# aaa new-model
Frisco(config)# aaa authentication login AUTHLIST local
Frisco(config)# line vty 0 4
Frisco(config-line)# login authentication AUTHLIST

The given command is: aaa authentication login CONSOLE line

In the above command:

i) The named list is CONSOLE.

ii) There is only one authentication method (line).

Once a named list (in this example, CONSOLE) is created, it must be applied to a line or interface for it to take effect. This is done using the "login authentication <list-name>" command:

line con 0
exec-timeout 0 0
password cisco

login authentication CONSOLE

You need to enter the password "cisco" (configured on line con 0) to get console access. The default list, if one is configured, is used on the tty, vty and aux lines.

Creating the method list:

R1(config)# aaa authentication login AUTHLIST local

Applying the method list to VTY lines 0-4:

R1(config)# line vty 0 4
R1(config-line)# login authentication AUTHLIST
R1(config-line)# exit

The syntax for a method list is as follows:

aaa type { default | list-name} method-1 [ method-2 method-3 method-4]

Given the AAA command: aaa authentication login default group radius local

In the above command:

1. AAA type is authentication login

2. The named list is the default one (default).

3. There are two authentication methods (group radius and local).

All users are authenticated using the RADIUS server (the first method). If the RADIUS server doesn't respond, the router's local database is used (the second method). For local authentication, define a username and password: username xxx password yyy

Because we are using the list name default in the aaa authentication login command, login authentication is automatically applied to all login connections (tty, vty, console and aux).

To record switch events, you need to configure and enable the accounting component of AAA.

The WLC provides failover between RADIUS servers: if the first server does not reply, it tries the second. If the username is not found on the first RADIUS server, that server will most likely send back a RADIUS reject, which means the WLC should not authenticate the user; the second RADIUS server is not checked. Some RADIUS servers can be customised to simply not answer when the user is not found, but even then, the WLC will mark that server dead and will not try it again until the second RADIUS server also fails.

TACACS+ uses TCP and provides separate authentication, authorization and accounting services. The port used by TACACS+ is TCP 49. The RADIUS or TACACS+ protocol can provide central authentication for users, routers, switches or servers.
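The method-list semantics described in this section (steps 1-5 above, the "aaa type {default | list-name} method-1 ..." syntax, and the rule that the second method is consulted only when the first one does not respond, not when it rejects the user) are easy to get wrong in practice. The following is an added example, not part of the cram notes and not Cisco code: a small model that reads the AAA commands used on this page, resolves which list applies to a line (a named list from "login authentication", otherwise "default"), and walks the methods. Its behaviour on a missing list (deny) and its stand-in server handlers are assumptions of the model; the configuration text and user credentials are constructed.

```python
# Added example (not from the cram notes): a small model of how a login method list
# is walked. Modelling assumption: a method is skipped only when it cannot answer
# (server unreachable); an explicit reject ends the attempt without trying the next.
PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"


def server_group(users, reachable=True):
    """Return a handler standing in for a TACACS+/RADIUS server group (constructed)."""
    def authenticate(user, password):
        if not reachable:
            return ERROR                      # timeout: no answer at all
        return PASS if users.get(user) == password else FAIL
    return authenticate


class AaaModel:
    def __init__(self):
        self.method_lists = {}   # list name -> [(method, group-name-or-None), ...]
        self.line_lists = {}     # line name -> list name set with 'login authentication'
        self.local_users = {}    # username -> password
        self.groups = {}         # 'tacacs+' / 'radius' -> handler from server_group()

    def configure(self, config):
        """Read the subset of AAA commands used on this page."""
        current_line = None
        for raw in config.splitlines():
            t = raw.split()
            if not t:
                continue
            if t[:3] == ["aaa", "authentication", "login"]:
                methods, i = [], 4
                while i < len(t):
                    if t[i] == "group":
                        methods.append(("group", t[i + 1]))
                        i += 2
                    else:
                        methods.append((t[i], None))
                        i += 1
                self.method_lists[t[3]] = methods
            elif t[0] == "username":          # username NAME password|secret VALUE
                self.local_users[t[1]] = t[3]
            elif t[0] == "line":
                current_line = " ".join(t[1:])
            elif t[:2] == ["login", "authentication"] and current_line:
                self.line_lists[current_line] = t[2]

    def login(self, line, user, password):
        """Return (result, trace). Lines without a named list use 'default'."""
        list_name = self.line_lists.get(line, "default")
        methods = self.method_lists.get(list_name)
        if methods is None:
            return FAIL, [f"no method list '{list_name}' (modelled as deny)"]
        trace = []
        for method, group in methods:
            if method == "group":
                handler = self.groups.get(group)
                result = handler(user, password) if handler else ERROR
            elif method == "local":
                result = PASS if self.local_users.get(user) == password else FAIL
            elif method == "none":
                result = PASS
            else:
                result = ERROR                # method not modelled here
            trace.append(f"{list_name}: {method} {group or ''}".rstrip() + f" -> {result}")
            if result != ERROR:
                return result, trace          # a definite answer ends the walk
        return FAIL, trace                    # every method was unreachable


SAMPLE_CONFIG = """\
aaa new-model
username admin password localpw
aaa authentication login default group radius local
aaa authentication login MYAUTHLIST group tacacs+ local
line vty 0 4
 login authentication MYAUTHLIST
line con 0
"""


def run_scenarios():
    """Constructed scenarios: tacacs+ reachable, radius server down."""
    dev = AaaModel()
    dev.configure(SAMPLE_CONFIG)
    dev.groups["tacacs+"] = server_group({"alice": "tacpw"}, reachable=True)
    dev.groups["radius"] = server_group({}, reachable=False)
    results = {
        "vty: alice accepted by tacacs+": dev.login("vty 0 4", "alice", "tacpw")[0],
        "vty: admin rejected by tacacs+, local NOT consulted": dev.login("vty 0 4", "admin", "localpw")[0],
        "con: default list, radius down, local used": dev.login("con 0", "admin", "localpw")[0],
    }
    dev.groups["tacacs+"] = server_group({}, reachable=False)   # tacacs+ server now down
    results["vty: tacacs+ down, local used"] = dev.login("vty 0 4", "admin", "localpw")[0]
    return results


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{result:5} {name}")
```

The second scenario is the one worth remembering: a user that the TACACS+ server knows nothing about is rejected, and the local database is never asked, so a local-only emergency account only helps when the server is unreachable.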


2. Configure and verify infrastructure security features

2.1 ACLs

The syntax for extended access list is given below:

access-list access-list-number [dynamic dynamic-name [timeout minutes]]
{deny | permit} protocol source source-wildcard
destination destination-wildcard [precedence precedence]
[tos tos] [log | log-input] [time-range time-range-name]

As seen from the syntax, the source IP address precedes the destination. Extended access lists are applied close to the source, whereas standard access lists are applied close to the destination.

We can use the statement

access-list <access-list #> [permit/deny] [protocol] host <source-ip-address> <destination-ip-address> <destination-wildcard-mask>

to permit or deny a specific host from accessing a network. Note that if we use the "host" keyword, a source wildcard mask is not required.

Access list number ranges:

Standard IP: 1-99 and 1300-1999
Extended IP: 100-199 and 2000-2699

The following statements permit access to the VTYs (router command prompt) from the 192.168.1.0/24 netblock while denying access from everywhere else:

RTA(config)# access-list 1 permit 192.168.1.0 0.0.0.255
RTA(config)# line vty 0 4
RTA(config-line)# access-class 1 in
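The evaluation rules behind the syntax above are what make ACL mistakes costly: wildcard-mask matching, "host" and "any", first-match processing, and the implicit "deny any" at the end of every list. The code below is an added example, not part of the cram notes and not Cisco code: it parses constructed standard and extended numbered access-list statements and evaluates constructed packets against them, returning the action and the entry that matched. Using it on ACL 1 answers the access-class question above (may this source reach the vty prompt?); only the "eq <port>" option is modelled.

```python
import ipaddress

# Added example (not from the cram notes): evaluate IOS numbered access lists with
# wildcard masks, first-match semantics and the implicit 'deny any' at the end.
# The access-list text below is constructed for this example.
SAMPLE_ACLS = """\
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 101 deny tcp host 10.1.1.5 172.16.0.0 0.0.255.255 eq 23
access-list 101 permit ip 10.1.1.0 0.0.0.255 any
"""

ANY = ("0.0.0.0", "255.255.255.255")


def wildcard_match(addr, base, wildcard):
    """IOS wildcard mask: a 0 bit must match, a 1 bit is ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def _parse_addr(tokens, i):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' at tokens[i]."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    if i + 1 >= len(tokens):                 # standard ACL with no wildcard: a single host
        return (tokens[i], "0.0.0.0"), i + 1
    return (tokens[i], tokens[i + 1]), i + 2


def parse_acls(config):
    """Return {number: [entries]} from 'access-list' lines, standard or extended."""
    acls = {}
    for raw in config.splitlines():
        t = raw.split()
        if len(t) < 4 or t[0] != "access-list":
            continue
        number, action = int(t[1]), t[2]
        standard = 1 <= number <= 99 or 1300 <= number <= 1999
        if standard:                          # source address only
            src, i = _parse_addr(t, 3)
            entry = {"action": action, "proto": "ip", "src": src, "dst": ANY, "opts": []}
        else:                                 # protocol, source, destination, options
            src, i = _parse_addr(t, 4)
            dst, i = _parse_addr(t, i)
            entry = {"action": action, "proto": t[3], "src": src, "dst": dst, "opts": t[i:]}
        acls.setdefault(number, []).append(entry)
    return acls


def evaluate(entries, proto, src, dst, dport=None):
    """Return (action, index of the matching entry or None). No match means implicit deny."""
    for n, e in enumerate(entries, 1):
        if e["proto"] not in ("ip", proto):
            continue
        if not (wildcard_match(src, *e["src"]) and wildcard_match(dst, *e["dst"])):
            continue
        opts = e["opts"]
        if len(opts) >= 2 and opts[0] == "eq" and dport != int(opts[1]):
            continue
        return e["action"], n
    return "deny", None


def demo():
    """Constructed packets checked against the sample ACLs."""
    acls = parse_acls(SAMPLE_ACLS)
    return {
        # ACL 1 as an access-class on the vty lines: may this source reach the prompt?
        "vty from 192.168.1.77": evaluate(acls[1], "tcp", "192.168.1.77", "10.0.0.1", 22),
        "vty from 10.9.9.9": evaluate(acls[1], "tcp", "10.9.9.9", "10.0.0.1", 22),
        "telnet 10.1.1.5 -> 172.16.5.5": evaluate(acls[101], "tcp", "10.1.1.5", "172.16.5.5", 23),
        "ssh 10.1.1.5 -> 172.16.5.5": evaluate(acls[101], "tcp", "10.1.1.5", "172.16.5.5", 22),
        "telnet 10.1.1.9 -> 172.16.5.5": evaluate(acls[101], "tcp", "10.1.1.9", "172.16.5.5", 23),
        "udp 10.2.0.1 -> 172.16.5.5": evaluate(acls[101], "udp", "10.2.0.1", "172.16.5.5", 53),
    }


if __name__ == "__main__":
    for name, (action, entry) in demo().items():
        print(f"{action:6} entry={entry}  {name}")
```

Note the last case: a packet from 10.2.0.1 matches no entry of ACL 101 and is dropped by the implicit deny, which is why a list that only contains deny statements blocks everything.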

2.2. CoPP

Control plane policing (CoPP) is a policy applied to the control plane of a router to protect the CPU from high rates of traffic that could impact router stability. It was created with the sole purpose of protecting the CPU, or control plane, of a router.

The Control Plane Policing feature allows users to configure a quality of service (QoS) filter that manages the traffic flow of control plane packets to protect the control plane of Cisco IOS routers and switches against reconnaissance and denial-of-service (DoS) attacks. In this way, the control plane (CP) can help maintain packet forwarding and protocol states despite an attack or heavy traffic load on the router or switch.
